path: root/CHANGES.txt
author: Donald Stufft <donald@stufft.io> 2016-04-15 20:42:20 -0400
committer: Donald Stufft <donald@stufft.io> 2016-04-16 16:00:45 -0400
commit: 65dee6e4ca0c0c607e97db0c9e55768f10591a58 (patch)
tree: 6185b4704a6de2261d5568773c260d50e209d0aa /CHANGES.txt
parent: 1799be9dd8666d10d6b4a04a9b75fc57f8626c6f (diff)
In addition to the CSRF token, verify the origin too
Add an additional layer of protection against CSRF by verifying the actual origin of the request in addition to the CSRF token. We only do this check on sites hosted behind HTTPS because only HTTPS sites have evidence to show that the Referrer header is not being spuriously removed by random middleware boxes.
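The check the commit message describes, written out as a stand-alone Python example (added here; this is not Pyramid's own implementation and does not use its request object): enforce only over HTTPS, read the Origin header and fall back to Referer, and compare the host against `request.domain` plus a configured list of trusted origins where a leading `.` permits subdomains. The function and exception names, the header dict shape, the choice to reject an HTTPS request that carries neither header, and the treatment of port 443 as the default are all assumptions of this example.

```python
from urllib.parse import urlsplit


class BadCSRFOrigin(Exception):
    """Raised when the request origin does not match the site.

    Stand-in for the exception the changelog names; hypothetical here.
    """


def _host_matches(origin_host, allowed):
    """Exact host match; an entry prefixed with '.' also admits subdomains."""
    if allowed.startswith('.'):
        return origin_host == allowed[1:] or origin_host.endswith(allowed)
    return origin_host == allowed


def check_csrf_origin(scheme, request_domain, headers, trusted_origins=()):
    """Return True if the request passes the origin check, else raise BadCSRFOrigin.

    scheme          -- 'http' or 'https' of the incoming request
    request_domain  -- host[:port] the request was addressed to (cf. request.domain)
    headers         -- dict of request headers with lower-case keys (assumed shape)
    trusted_origins -- extra host[:port] entries; prefix with '.' to allow subdomains
    """
    # Only enforce over HTTPS: on plain HTTP an intermediary may have stripped
    # the Referer, so a missing or odd header proves nothing.
    if scheme != 'https':
        return True

    # Browsers send Origin on cross-site POSTs; fall back to Referer otherwise.
    origin = headers.get('origin') or headers.get('referer')
    if not origin:
        # Assumption: a missing header on an HTTPS request fails closed.
        raise BadCSRFOrigin('no Origin or Referer header on HTTPS request')

    parts = urlsplit(origin)
    if parts.scheme != 'https' or parts.hostname is None:
        raise BadCSRFOrigin('origin is not an https URL: %r' % origin)

    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        raise BadCSRFOrigin('malformed port in origin: %r' % origin)

    # Normalise to host[:port]; 443 is the https default and is dropped (assumption).
    origin_host = parts.hostname
    if port is not None and port != 443:
        origin_host = '%s:%d' % (origin_host, port)

    allowed = [request_domain.lower()] + [t.lower() for t in trusted_origins]
    if any(_host_matches(origin_host, entry) for entry in allowed):
        return True
    raise BadCSRFOrigin('origin %r not allowed for %r' % (origin_host, request_domain))


if __name__ == '__main__':
    # Constructed sample headers, not captured traffic.
    same_site = {'origin': 'https://example.com'}
    cross_site = {'origin': 'https://attacker.example'}
    print(check_csrf_origin('https', 'example.com', same_site))
    try:
        check_csrf_origin('https', 'example.com', cross_site)
    except BadCSRFOrigin as exc:
        print('rejected:', exc)
```

Note that the subdomain rule is applied to the trusted-origins list only: `api.example.com` is refused for `request_domain = "example.com"` unless `.example.com` is configured, which is the behaviour the changelog entry describes.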
Diffstat (limited to 'CHANGES.txt')
-rw-r--r-- CHANGES.txt | 12
1 files changed, 12 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 0a7bdef1a..0cd2c0c9a 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -35,6 +35,18 @@ Features
https://github.com/Pylons/pyramid/pull/2413 and
https://github.com/Pylons/pyramid/pull/2500
+- Added an additional CSRF validation that checks the origin/referrer of a
+ request and makes sure it matches the current ``request.domain``. This
+ particular check is only active when accessing a site over HTTPS as otherwise
+ browsers don't always send the required information. If this additional CSRF
+ validation fails a ``BadCSRFOrigin`` exception will be raised and may be
+ caught by exception views (the default response is ``400 Bad Request``).
+ Additional allowed origins may be configured by setting
+ ``pyramid.csrf_trusted_origins`` to a list of domain names (with ports if on
+ a non standard port) to allow. Subdomains are not allowed unless the domain
+ name has been prefixed with a ``.``. See:
+ https://github.com/Pylons/pyramid/pull/2501
+
- Pyramid HTTPExceptions will now take into account the best match for the
clients Accept header, and depending on what is requested will return
text/html, application/json or text/plain. The default for */* is still
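Review bot: the new entry does not say what the check does on an HTTPS request that carries neither an Origin nor a Referer header, that is, whether `BadCSRFOrigin` is raised or the check is skipped; the lines `+ particular check is only active when accessing a site over HTTPS as otherwise` / `+ browsers don't always send the required information` explain why HTTP is exempt but leave the HTTPS-without-header case open, and that is the first case an operator behind a header-stripping proxy will hit, so a sentence stating it would help. Two smaller points: the wire header is spelled `Referer`, so consider naming the two headers explicitly rather than "origin/referrer", and "non standard port" should read "non-standard port".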